So today ended up being a day of defending my server. After yesterday’s day of sleeping, I figured I should actually get some work done and sell some sites. I figured the first step would be to get a list of the ones ready to go…that led me down the path of compromised sites.
To handle all the sites, I set up a little automated script that loops through the list of sites and takes a screenshot of each one. I then review the screenshots to see how things are going on each site and decide which ones are ready, or at least close to being ready, to go up for sale.
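A screenshot loop of the kind described above, written as an added example (it is not the author's script). It assumes a `chromium` binary on PATH (the `--headless` and `--screenshot` flags are the same for `google-chrome`); the site list format, the output naming and the per-site timeout are this example's own choices. Failures (dead hosts, timeouts, a missing browser) are recorded rather than silently skipped, so a site that vanishes from the review does not go unnoticed.

```python
"""Loop over a list of sites and screenshot each one with headless Chromium.
Added example, not the author's script.  Assumes a `chromium` binary on PATH."""
import re
import subprocess
from pathlib import Path
from urllib.parse import urlparse

BROWSER = "chromium"       # assumption: change to google-chrome / chromium-browser as needed
WINDOW = "1280,1024"       # viewport; keep it fixed so screenshots stay comparable run to run
TIMEOUT_SECONDS = 45       # a hung or very slow site must not stall the whole loop


def parse_site_list(text):
    """One URL per line; blank lines and '#' comments are ignored.  A bare
    hostname gets an https:// scheme so the browser does not treat it as a search."""
    sites = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "://" not in line:
            line = "https://" + line
        sites.append(line)
    return sites


def slug_for(url):
    """Turn a URL into a safe file name: host plus path, other characters collapsed to '_'."""
    parts = urlparse(url)
    raw = parts.netloc + parts.path.rstrip("/")
    return re.sub(r"[^A-Za-z0-9.-]+", "_", raw).strip("_") or "site"


def screenshot_cmd(url, out_png):
    """Command line for a single capture (Chromium's own headless screenshot mode)."""
    return [BROWSER, "--headless", "--disable-gpu", "--hide-scrollbars",
            f"--window-size={WINDOW}", f"--screenshot={out_png}", url]


def capture_all(sites, out_dir):
    """Screenshot every site.  Returns {url: path or None} so failures show up
    in the review as missing images instead of disappearing from the list."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    results = {}
    for url in sites:
        out_png = out_dir / f"{slug_for(url)}.png"
        try:
            subprocess.run(screenshot_cmd(url, out_png), check=True,
                           timeout=TIMEOUT_SECONDS, capture_output=True)
            results[url] = out_png
        except (subprocess.CalledProcessError, subprocess.TimeoutExpired, FileNotFoundError):
            results[url] = None
    return results


if __name__ == "__main__":
    import sys
    # usage: python screenshot_sites.py sites.txt   (one URL per line)
    site_list = parse_site_list(Path(sys.argv[1]).read_text())
    for url, png in capture_all(site_list, "screenshots").items():
        print(f"{'OK  ' if png else 'FAIL'} {url}")
```

Reviewing a directory of PNGs named after the host is enough to spot defacements and spam injections at a glance; keeping the previous run's images lets you compare a site against how it looked before.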
I ended up finding a few sites that had some garbage content on them. After further review, the sites had clearly been hacked in some way. I went through the process of cleaning out the content, fixing anything that looked suspicious along the way.
I ended up stumbling across some plugins that look like they were the exploit used to get everything else the way it was. I don’t know for sure how the plugins were added, but I deleted them. Then I reset some security plugins and was on my way to the next site.
Right after, and I mean within a couple of minutes, I got alerts from the security plugins I had just reset that an admin had logged in…from Ukraine. So now I had to go back to the site and redo everything I had just done, since the garbage content had already been added back.
Now I am searching all the sites for the same types of malicious plugins, removing them, updating the administrator passwords, and even disabling the entire login process on some sites to prevent anyone, including me, from logging in.
From what I found, it looks like something to do with the xmlrpc feature was exploited and things snowballed from there. I went through and disabled that on all the sites.
I spent most of the day cleaning everything up, but really didn’t get any ready to be listed for sale.